
Having a password field only appear after entering a username is a huge accessibility antipattern, isn't it? Why is everyone and their dog doing it now? It plays merry hell with my password autofill.

@Floppy which tool are you using?

I've spotted that pattern too, but KeePassXC (which I use, clearly) can be given custom fill patterns for a given form. For example

{USERNAME}{ENTER}{SLEEP 2}{PASSWORD}{ENTER}

Works well on the examples I've seen so far.

@gwmngilfen Macpass (another keepass client) - I might be able to do that, but GOD what a faff to do that for everything. :)

@Floppy yeah, giant PITA, agreed. It's not a nice pattern.

@Floppy It has to do with flexible authentication. For example, passwordless logon of any type, using TLS plus 2FA, or even just using bearer authentication.

@SuperFloppies
Good explanation, but then you don't need the username either.

@61 @Floppy No, you still need something to use as the lookup key. That’d be a username, email, or telephone number. Obviously, it’s preferable to have a username, since that is the only credential listed that is (most often) controlled by the user. Telephone numbers are insecure for a wide variety of uses, but are pretty much universally used.

@61 @Floppy I mean, you could use something like a QR code representing a 512-bit random integer, but that’s too complex for most users.

@SuperFloppies
Sleep deprived so perhaps I misunderstand. But if you have a TLS (X.509) certificate or bearer authentication, your authentication method has all the info needed already.

#2FA is complementary to a primary authentication method, as the name says. You cannot count it as an authentication method itself.

@61 @Floppy 2FA and passwordless auth are two different concepts, yes.

A TLS client certificate provides a username, a public key, and a signature from its issuer. Authentication with it requires only that the system recognize it and the user prove control of the associated private key.

Email passwordless auth uses email as the username and a code or link transmitted to the user as the proof of control of the email address.

Both can be used with TOTP.

@61 @Floppy If you auth with TLS you won’t even see a username prompt, in other words. At least if the software is done right. Otherwise page one prompts for ID, page two prompts for a credential that may not necessarily be a password. Putting a password prompt on page one leaks system info (namely that all users have passwords). 2FA should be used always, then.
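A worked illustration of the flow the thread is arguing about, added here as an example rather than code from anyone in the conversation: page one accepts only the lookup key, page two asks for whatever credential that identifier has registered (a password, or a code sent to the mailbox), and a TOTP step can follow either. The account store, salts, TOTP seed and method names are constructed for the demonstration; the password hashing uses PBKDF2 and the TOTP routine follows RFC 6238. Unknown identifiers are routed through the same password path against a dummy record, so page one does not reveal whether an identifier exists, although a registered account's method is still visible on page two, which is inherent to this design.

```python
# Added example: minimal identifier-first login flow (not code from the thread).
# Accounts, salts, the TOTP seed and method names are constructed for illustration.
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional, Tuple

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_ALICE_SALT = b"constructed-salt"
ACCOUNTS = {
    # identifier -> registered primary method plus its verification material
    "alice": {"method": "password", "salt": _ALICE_SALT,
              "hash": _pw_hash("correct horse battery staple", _ALICE_SALT),
              "totp_secret": b"12345678901234567890"},  # RFC 6238 test vector key
    "carol@example.test": {"method": "email_link", "totp_secret": None},
}
# Dummy record for unknown identifiers: page one behaves identically whether or
# not the identifier exists, so it cannot be used to enumerate accounts.
_UNKNOWN = {"method": "password", "salt": b"x", "hash": b"\x00" * 32,
            "totp_secret": None, "_unknown": True}

PENDING: Dict[str, dict] = {}   # session id -> state of a half-finished login
OUTBOX: Dict[str, str] = {}     # identifier -> one-time code (stands in for sending mail)

def start_login(identifier: str) -> Tuple[str, str]:
    """Page one: take only the lookup key; return (session_id, prompt for page two)."""
    account = ACCOUNTS.get(identifier.strip().lower(), _UNKNOWN)
    sid = secrets.token_urlsafe(16)
    PENDING[sid] = {"account": account, "issued": time.time()}
    if account["method"] == "email_link":
        code = secrets.token_urlsafe(24)
        PENDING[sid]["code"] = code
        OUTBOX[identifier] = code        # a real system would e-mail this
        return sid, "check_your_email"
    return sid, "password"

def finish_login(sid: str, credential: str, now: Optional[float] = None) -> bool:
    """Page two: verify the credential type the account actually registered."""
    state = PENDING.pop(sid, None)       # each started login is single use
    if state is None:
        return False
    now = time.time() if now is None else now
    if now - state["issued"] > 600:      # ten-minute window for the second step
        return False
    account = state["account"]
    if account["method"] == "email_link":
        return hmac.compare_digest(state["code"].encode(), credential.encode())
    # Password path, also taken for unknown identifiers against the dummy hash
    # so the work done is the same either way.
    ok = hmac.compare_digest(_pw_hash(credential, account["salt"]), account["hash"])
    return ok and not account.get("_unknown", False)

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(identifier: str, code: str, at: float, skew_steps: int = 1) -> bool:
    """Optional second factor after either primary method; tolerates one step of clock skew."""
    secret = ACCOUNTS.get(identifier, {}).get("totp_secret")
    if not secret:
        return False
    return any(hmac.compare_digest(totp(secret, at + d * 30).encode(), code.encode())
               for d in range(-skew_steps, skew_steps + 1))
```

From the password manager's side this is exactly why a single username-and-password fill cannot work: the two fields live on different pages, and the second page's field is only known after the server has answered the first. The dummy-record path is what keeps the first page from becoming an account-enumeration oracle; the 600-second window and single-use session are the minimum needed to stop a half-finished login from being replayed later.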

Open social media for the UK